Forgive me if this has already been asked, I would greatly appreciate someone either taking the time to go through and explain the resolution, or pointing me to (explained like a 5yr old) steps.
I am receiving syslogs from my firewall which look something like:
id=SonicWallApollo sn=000000000000 time="2019-01-11 16:59:49" fw=18.104.22.168 pri=5 c=0 m=760 msg="TCP handshake violation detected; TCP connection dropped" n=5095186 src=22.214.171.124:52350:X7 dst=126.96.36.199:9100:X1 dstMac=aa:aa:aa:aa:aa:aa proto=tcp/9100 note="Handshake Timeout" fw_action="drop"
As you can see, it only creates 5 fields automatically: "facility", "level", "message", "source", "timestamp".
I would like to split the "message" field into:
etc etc etc for all the fields.
I understand I need to use extractors to do this, but can't for the life of me work out how to use REGEX / GROK etc. (whatever I should be using) to do this.
If I just use a whitespace character, fields like "msg" and "time" don't get split properly, because they contain a space...
So I thought I’d ask the wonderful community!
Can anyone explain how to go about splitting this into multiple sections?
Thanks in advance,
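An added worked example, not from the post and not a Graylog feature: a small Python parser for this key=value format that keeps quoted values (the ones with spaces) whole. The sample line is a constructed copy of the one in the question, and the `split_endpoints` helper and the `src_ip`/`src_port`/`src_iface` names it produces are my own choice.

```python
import re
from typing import Dict

# Constructed sample, modelled on the line in the post (IPs and serial are placeholders).
SAMPLE_LINE = (
    'id=SonicWallApollo sn=000000000000 time="2019-01-11 16:59:49" fw=18.104.22.168 '
    'pri=5 c=0 m=760 msg="TCP handshake violation detected; TCP connection dropped" '
    'n=5095186 src=22.214.171.124:52350:X7 dst=126.96.36.199:9100:X1 '
    'dstMac=aa:aa:aa:aa:aa:aa proto=tcp/9100 note="Handshake Timeout" fw_action="drop"'
)

# One key=value token. The value is either a double-quoted string (which may
# contain spaces, ';' and so on) or a run of non-whitespace characters.
# Trying the quoted form first is what keeps "msg" and "time" in one piece.
KV_TOKEN = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


def parse_kv(line: str) -> Dict[str, str]:
    """Return every key=value pair in the line as a dict (keys keep their case)."""
    fields: Dict[str, str] = {}
    for m in KV_TOKEN.finditer(line):
        quoted = m.group("quoted")
        # An empty quoted value ("") is a real, empty value, so test for None, not truthiness.
        fields[m.group("key")] = quoted if quoted is not None else m.group("bare")
    return fields


# src/dst look like IP:port:interface; the interface suffix is optional.
ENDPOINT = re.compile(r"^(?P<ip>[^:]+):(?P<port>\d+)(?::(?P<iface>\w+))?$")


def split_endpoints(fields: Dict[str, str]) -> Dict[str, str]:
    """Add <name>_ip / <name>_port / <name>_iface for src and dst, keeping the originals."""
    out = dict(fields)
    for name in ("src", "dst"):
        value = fields.get(name)
        if value is None:
            continue
        m = ENDPOINT.match(value)
        if m is None:
            continue  # unexpected shape: leave the raw value rather than guess
        out[f"{name}_ip"] = m.group("ip")
        out[f"{name}_port"] = m.group("port")
        if m.group("iface"):
            out[f"{name}_iface"] = m.group("iface")
    return out


if __name__ == "__main__":
    for key, value in split_endpoints(parse_kv(SAMPLE_LINE)).items():
        print(f"{key:>10} = {value}")
```

The part that matters for the problem in the question is the alternation in `KV_TOKEN`: the quoted branch is tried before the bare `\S+` branch, so a space inside `msg` or `time` stays with its value instead of starting a new token. The same idea carries over to whatever regex-based mechanism you end up using; splitting on whitespace alone can never work for this format.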